Amazon patches Key flaw that it dismissed as not 'real-life'

Amazon has rolled out an update for a security flaw in its Key smart lock which the company had claimed wasn't an issue. Amazon Key is a system which lets delivery drivers place parcels inside your home. The attack could let anyone through the door.

Deauthentication attack

The exploit was revealed earlier this month by a security researcher known as "MG." He developed an extension of an earlier attack demonstrated by Rhino Security Labs. Whereas the original version focused on an "evil delivery driver," MG explored how a regular malicious hacker could abuse Key to enter a person's home.

MG automated the attack by using a Raspberry Pi installed near the door. The Pi can search for nearby Amazon Cloud Cams by identifying the device's wireless signature. Once a camera has been found, its activity is then monitored to reveal when a delivery person is approaching.

As a driver nears the door, the Cloud Cam's activity increases as it starts to capture and upload photos of the delivery. The Pi uses this to identify when the door is about to be unlocked. A deauthentication attack is then deployed to force the camera to interrupt as the door bolt unlocks, which creates an error unknown to the app.

The end result is the door remains unlocked but the homeowner still gets told it has been bolted after the delivery. MG's extended version of the attack even records and replays the sound of the lock motor, convincing the user that the door really has been secured. There's no way for the user to know that their home is at imminent risk of a security breach.

"Frustrating" disclosure

After developing a proof-of-concept video of the exploit, MG contacted Amazon. The company reached out and began working with the researcher to learn about the attack. However, while MG was still engaging with the engineers, Amazon's PR team began to talk publicly about the flaw. The company claimed it wasn't a "real-life delivery scenario" and told users it shouldn't be treated as a security issue.

Amazon also explained the entire attack to Forbes, even though it had not yet released a fix. MG described Amazon's disclosure procedures as "frustrating" and "annoying," claiming engineers could have responded more effectively if the overall process was revised.

"I was impressed with the security response team," wrote MG in a Medium post. "They would later ask for code, which was a bit frustrating in context of the initial 'lol we won't give you anything but do work for us' interaction with Amazon. This team could do a lot more if Amazon structured their disclosure process better."

Amazon has now addressed the problem in an update for its iOS and Android apps. With the update installed, the user gets alerted if the app can't reliably confirm the door has been locked. The company hasn't acknowledged the confusion around its disclosure of the attack. MG noted the Amazon Key model still has several potential security holes, including the requirement you disable your home's alarm system so delivery drivers can gain access.

Amazon Key launched last year as a more convenient way to receive home deliveries. Amazon hopes that people will warm up to the idea of strangers entering their home to leave parcels securely. The initial response has been mixed though, with security incidents like this demonstrating why people are sceptical of smart lock technology.